10-06-2016 03:43 AM
Hi all,
We're having some difficulties with DHCP Relay on PA 7.0.5. Our setup looks like this:
Client <-> L2 SW <-> PA <-> L3 SW <-> DHCP Server
We use a VLAN sub-interface on the PA as the default gateway for that subnet and I configured DHCP Relay for this interface. Now the PA sends the relayed DHCP packets out the same sub-interface. On Cisco you can configure the source-interface for the relay agent - (config)#ip dhcp-relay source interface lo0 - but I have not found this option on the PA.
Does anyone have a solution for this?
Thank you and kind regards,
Atarimasu
10-06-2016 03:10 PM
Hello,
For DHCP relay setup go to Networking->DHCP->DHCP relay, there you setup the interface that will relay the packets to the DHCP server. Also you may/will need security policies to allow the traffic to go between the zones.
Hope this helps.
10-06-2016 03:36 PM
By default, DHCP relays put their source address in the DHCP packet. In your example for Cisco devices, you aren't required to use the source interface command.
I don't believe your method of forwarding the DHCP traffic back out the same sub-interface to an L3 switch will work. Even though DHCP uses UDP, I believe the PA needs to see the entire DHCP communication operation.
Your traffic flow will be:
client-(Discovery)>PA->L3->DHCP_Server(offer)->L3->Client(request)->PA. Once the request operation hits the PA, I think it will drop it since it sees the request without ever seeing the offer from the server.
Can you send the relay traffic through the PA instead of hairpinning out the same subinterface?
10-07-2016 01:13 AM - edited 10-07-2016 01:25 AM
@RFalconer wrote: By default, DHCP relays put their source address in the DHCP packet. In your example for Cisco devices, you aren't required to use the source interface command.
I don't believe your method of forwarding the DHCP traffic back out the same sub-interface to an L3 switch will work. Even though DHCP uses UDP, I believe the PA needs to see the entire DHCP communication operation.
Your traffic flow will be:
client-(Discovery)>PA->L3->DHCP_Server(offer)->L3->Client(request)->PA. Once the request operation hits the PA, I think it will drop it since it sees the request without ever seeing the offer from the server.
Can you send the relay traffic through the PA instead of hairpinning out the same subinterface?
Thanks for your reply.
The L3 SW is not actually routing traffic between the DHCP Server and the Subnet. All traffic to and from this subnet goes through the PA. And that is the problem with the Relay - the PA sends the DHCP Relay out the same isolated Subnet leading to nowhere.
The traffic pattern right now is:
VLAN10(Discovery broadcast) -> PA -> VLAN10(Unicast to DHCP-Server)
instead of:
VLAN10(Discovery broadcast) -> PA -> VLAN20(Unicast to DHCP-Server)
But the routing table points the DHCP-Server out of VLAN 20 - why would the PA then send the relayed packets out of VLAN 10 sub-interface?
10-07-2016 01:24 AM - edited 10-07-2016 01:25 AM
@OtakarKlier wrote: Hello,
For DHCP relay setup go to Networking->DHCP->DHCP relay, there you setup the interface that will relay the packets to the DHCP server. Also you may/will need security policies to allow the traffic to go between the zones.
Hope this helps.
Thanks for your reply.
So the DHCP Relay config goes on the Interface that sends the packets and not the interface that is connected to the subnet of the clients? But then how do we define on which Interfaces PA will listen for DHCP packets?
I also don't get how a rule would look in that case. The DHCP Discover messages are sent from 0.0.0.0 to 255.255.255.255 - the broadcast will be terminated at the Interface, so how would I make a rule that allowed that broadcast to go to the DHCP Relay enabled Interface without L2 bridging?
Kind regards
10-07-2016 10:16 AM
Are the interfaces on the PA in vlan 10 and 20 in different zones? If so, you will need to have a policy to permit the traffic.
The relay configuration should be on the interface where your clients are, vlan 10 subinterface, forwarding to the server on vlan 20.
Is the DHCP server on the same subnet as the vlan 20 interface of the PA?
If you give a static address to a host on vlan 10, can it access the DHCP server, just with a ping?
10-10-2016 04:25 AM - edited 10-10-2016 04:26 AM
@RFalconer wrote: Are the interfaces on the PA in vlan 10 and 20 in different zones? If so, you will need to have a policy to permit the traffic.
The relay configuration should be on the interface where your clients are, vlan 10 subinterface, forwarding to the server on vlan 20.
Is the DHCP server on the same subnet as the vlan 20 interface of the PA?
If you give a static address to a host on vlan 10, can it access the DHCP server, just with a ping?
Thanks for your reply RFalconer,
The interfaces are in different zones and I also created the Rule to allow DHCP traffic in between. The PA is not in a VLAN of a DHCP Server, so we route the DHCP Relayed packets. The clients cannot ping or initiate traffic to other subnets as per security requirement, so I cannot test that. But connectivity from the FW to the DHCP server is fine.
We have now tested many different things and have found out that I forgot to set DHCP snooping trust on the Switch... Unfortunately, this dumb mistake was not the source of the problem. The DHCP Relay works now - but only with 1 DHCP Relay Server... As soon as I add a 2nd Server the DHCP Relay stops working...
I have also found a known issue in 7.0.5 which would explain the PA sending the relayed Packets out the same interface it received the discovery on.
92934 Fixed an issue where a firewall configured for DHCP relay (with multiple DHCP relays or in certain firewall virtual system configurations) rebroadcast a DHCP packet on the same interface that received the packet, which caused a broadcast storm. With this fix, the firewall drops duplicate broadcasts instead of retransmitting them.
This probably means that it's a general bug in 7.0.5 and we'll have to find another solution until we get approval for the PAN-OS upgrade. But thank you all for your help!!! :-)
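As an added illustration (not code from this thread or from PAN-OS), the checker below parses the BOOTP header and option 53 of constructed DHCP payloads and flags relayed client packets that a relay sent back out the interface they arrived on, which is the symptom described for issue 92934 above. Interface names, addresses and transaction ids are assumptions made for the demo.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that ends the fixed BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(raw: bytes) -> dict:
    """Parse op, xid, giaddr and option 53 from a raw DHCP payload (RFC 2131 layout)."""
    op = raw[0]                                     # 1 = BOOTREQUEST, 2 = BOOTREPLY
    xid = struct.unpack_from("!I", raw, 4)[0]       # transaction id shared across the exchange
    giaddr = ".".join(str(b) for b in raw[24:28])   # relay agent address, 0.0.0.0 if not relayed
    if raw[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i, msg_type = 240, "UNKNOWN"
    while i < len(raw) and raw[i] != 255:           # 255 = end option
        if raw[i] == 0:                             # 0 = pad option, has no length byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        if code == 53:
            msg_type = MSG_TYPES.get(raw[i + 2], "UNKNOWN")
        i += 2 + length
    return {"op": op, "xid": xid, "giaddr": giaddr, "msg_type": msg_type}

def build(op: int, xid: int, giaddr: str, msg_type: int) -> bytes:
    """Constructed sample payload for the demo; not a real capture."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 12                                   # ciaddr, yiaddr, siaddr
    hdr += bytes(int(x) for x in giaddr.split("."))      # giaddr at offset 24
    hdr += b"\x00" * (236 - len(hdr))                     # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def same_interface_rebroadcasts(events):
    """Flag relayed client packets that leave on the interface they arrived on (issue 92934 symptom)."""
    hits = []
    for ingress, egress, raw in events:
        p = parse_dhcp(raw)
        if p["op"] == 1 and p["giaddr"] != "0.0.0.0" and egress == ingress:
            hits.append((p["xid"], ingress, p["msg_type"]))
    return hits

# Constructed relay events (ingress, egress, payload); interface names and
# addresses are assumptions for the demo, not values from the thread.
SAMPLE_EVENTS = [
    ("ethernet1/1.10", "ethernet1/1.10", build(1, 0x1234, "10.0.10.1", 1)),  # hairpinned back into VLAN 10
    ("ethernet1/1.10", "ethernet1/1.20", build(1, 0x5678, "10.0.10.1", 1)),  # forwarded toward VLAN 20
]
```

Feeding real relay events into `same_interface_rebroadcasts` requires tagging each packet with its ingress and egress interface from your capture or session logs; the function only inspects the DHCP payload.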